CVE-2015-2994
Published 2015-06-08
Priority: P2 · 61 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT · EPSS 49.79% (98.8th percentile)
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 15.1 | — |
Detection & IOCs (extracted from sources)
- Alert on HTTP GET requests to files under icons/user_photo/ with a .jsp extension, which indicates post-upload webshell execution.
- The exploit response body contains the string 'parent.glSelectedImageUrl' with the uploaded file path; monitor HTTP responses from ChangePhoto.jsp for this pattern to identify successful uploads.
- Version fingerprinting: the exploit checks for CSS version string matching 'css/master.css?v14.4' in errorInSignUp.htm to confirm a vulnerable SysAid instance.
- The Metasploit module targets SysAid on port 8080 by default under the /sysaid path; monitor for authentication (POST to Login.jsp) followed immediately by a multipart upload to ChangePhoto.jsp from the same source IP.
- Exploitation requires valid administrator credentials; the vulnerability alone is not unauthenticated. A related auxiliary module may be used to create an admin account as a prerequisite step.
- The module has only been tested against SysAid v14.4 on Linux and Windows; behavior on other versions is unconfirmed.
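The access-log checks from the list above, as an added example (not part of the original page or of any project's code): it flags requests for `.jsp` files under `icons/user_photo/` and a `Login.jsp` POST followed within a short window by a `ChangePhoto.jsp` POST from the same source IP. The log lines are constructed, and the combined-log layout, the 60-second window and the alert names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2015:10:00:01 +0000] "POST /sysaid/Login.jsp HTTP/1.1" 200 512
192.0.2.10 - - [10/Jun/2015:10:00:03 +0000] "POST /sysaid/ChangePhoto.jsp HTTP/1.1" 200 230
192.0.2.10 - - [10/Jun/2015:10:00:05 +0000] "GET /sysaid/icons/user_photo/a1b2c3.jsp HTTP/1.1" 200 0
198.51.100.7 - - [10/Jun/2015:10:05:00 +0000] "POST /sysaid/Login.jsp HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2015:10:20:00 +0000] "POST /sysaid/ChangePhoto.jsp HTTP/1.1" 200 230
198.51.100.7 - - [10/Jun/2015:10:20:02 +0000] "GET /sysaid/icons/user_photo/alice.png HTTP/1.1" 200 4096
203.0.113.5 - - [10/Jun/2015:11:00:00 +0000] "GET /sysaid/icons/user_photo/X.JSP?v=1 HTTP/1.1" 404 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(seconds=60)  # assumed correlation window; tune for your site


def detect(log_text):
    """Return (alert_name, source_ip, request_target) tuples in log order."""
    alerts, last_login = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Drop query string and path parameters; compare case-insensitively
        # because the product also runs on case-insensitive Windows hosts.
        path = re.split(r"[?;]", target, maxsplit=1)[0].lower()
        if method == "POST" and path.endswith("/login.jsp"):
            last_login[ip] = when
        elif method == "POST" and path.endswith("/changephoto.jsp"):
            seen = last_login.get(ip)
            if seen and when - seen <= WINDOW:
                alerts.append(("login_then_upload", ip, target))
        elif "/icons/user_photo/" in path and path.endswith(".jsp"):
            # Any method is flagged: a photo directory should never serve JSP.
            alerts.append(("jsp_in_photo_dir", ip, target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
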
No detection rules found.
Exploit-DB
SysAid Help Desk 14.4 - Multiple Vulnerabilities
exploitdb·2015-06-10·CVSS 7.5
CVE-2015-3001 [HIGH] SysAid Help Desk 14.4 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux v
Exploit-DB
SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)
exploitdb·2015-06-03
CVE-2015-2994 SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)
```ruby
'Name' => 'SysAid Help Desk Administrator Portal Arbitrary File Upload',
'Description' => %q{
  This module exploits a file upload vulnerability in SysAid Help Desk.
  The vulnerability exists in the ChangePhoto.jsp in the administrator portal,
  which does not correctly handle directory traversal sequences and does not
  enforce file extension restrictions. While an attacker needs an administrator
  account in order to leverage this vulnerability, there is a related Metasploit
  auxiliary module which can create this account under some circumstances.
  This module has been tested in SysAid v14.4 in both Linux and Windows.
},
'Author' =>
  [
    'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module
  ],
'License' => MSF_LICENSE,
'References' =>
  [
    ['CVE', '2015-2994'],
    ['UR
```
Metasploit
SysAid Help Desk Administrator Portal Arbitrary File Upload
metasploit
This module exploits a file upload vulnerability in SysAid Help Desk. The vulnerability exists in the ChangePhoto.jsp in the administrator portal, which does not correctly handle directory traversal sequences and does not enforce file extension restrictions. While an attacker needs an administrator account in order to leverage this vulnerability, there is a related Metasploit auxiliary module which can create this account under some circumstances. This module has been tested in SysAid v14.4 in both Linux and Windows.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75038
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk